Technique for producing a parameter, such as a checksum, through a primitive that uses elementary register operations

ABSTRACT

A technique which implements a primitive for computing, e.g., a checksum. Specifically, this primitive replaces a mod(M) operation with a series of simple elementary register operations. These operations include mod 2^(n) multiplications, order manipulations (e.g., byte or word swaps), and additions—all of which are extremely simple to implement and require very few processing cycles to execute. Hence, use of our inventive technique can significantly reduce the processing time to compute various cryptographic parameters, such as, e.g., a message authentication code (MAC), or to implement a stream cipher, over that conventionally required. This technique has both invertible and non-invertible variants.

BACKGROUND OF THE DISCLOSURE

[0001] 1. Field of the Invention

[0002] The invention relates to a technique for implementing a primitive for computing, e.g., a checksum. Advantageously, this technique is relatively simple and uses rather elementary register operations, thus saving significant processing time over that conventionally required to compute, e.g., a message authentication code (MAC), or implement a stream cipher.

[0003] 2. Description of the Prior Art

[0004] Many different cryptographic techniques currently in use today employ mathematical functions that include modular arithmetic, typically calculating a residue of a number with respect to a relatively large prime number (M), such as, for example, 2³¹−1 or larger. An illustrative such function, f(x), would be of the form f(x) = ax + b mod(M) in a Galois field (GF) over 2^(n), where n = 2m+1, and n and m are predefined integers in a field Z(mod M). While the functions themselves greatly vary from one technique to the other, they commonly require computation of a mod(M) operation of one form or another and usually on a highly repetitive basis.

[0005] Not only will such modular operations be used for encrypting each and every block of plaintext in a message to yield a corresponding ciphertext block and decrypting the latter to recover the associated plaintext block, but also in computing intermediate portions of the technique, such as a message authentication code (MAC) or a stream cipher.

[0006] Performing a single mod(M) operation can require as many as 10-15 processing cycles, if not more (based on the value of a modulus, M). Since a cryptographic technique requires a large number of such operations, a significant amount of processing time, associated with employing that technique, can be consumed in simply calculating mod(M) operations.

[0007] Cryptographic techniques are increasingly finding use to protect information in a wide and expanding variety of highly diverse applications, as well as in an expanding array of devices, from highly sophisticated general purpose devices, such as, e.g., personal computers and workstations, to relatively simple dedicated devices, such as, e.g., “smart cards”, remote controls and electronic appliances.

[0008] For example, in view of the ease and low cost of communicating by electronic mail, the Internet (among other network modalities) is experiencing explosive and exponential growth as a preferred communication medium. However, the Internet, being a publicly accessible network, is not secure and, in fact, has been and increasingly continues to be a target of a wide variety of attacks from various individuals and organizations intent on eavesdropping, intercepting and/or otherwise compromising or even corrupting Internet message traffic or illicitly penetrating Internet sites. This security threat, in view of an increasing reliance placed on use of the Internet as a preferred medium of communication, exacerbates the efforts in the art to develop increasingly strong cryptographic techniques that provide enhanced levels of security to electronic communication, such as mail messages, data and computer files, from third-party eavesdropping, interception and possible tampering. As a consequence, cryptographic processing is being incorporated into an increasing array of personal computer software, particularly web browsers and other operating system components, and electronic mail programs and other application programs, in order to provide secure Internet connectivity.

[0009] A totally different cryptographic application involves so-called “smart cards”. Here, a dedicated credit-card sized device which employs a rather unsophisticated and inexpensive microprocessor, i.e., a “smart card”, stores bank and/or other financial balances for a corresponding individual. The microprocessor, using a program stored internally to the card, can validate a transaction and appropriately change each such balance based on the transaction. Specifically, that individual can invoke an electronic transaction with another party, such as a vendor or a bank, by simply inserting the card into an appropriate data terminal and entering transaction data into a keyboard associated with the terminal in order to debit and/or credit all or a portion of a balance stored on the card. Transacting in this fashion provides an instantaneous monetary transfer while eliminating any need for and costs associated with processing paper currency or paper-based monetary instruments, such as checks. The stored program utilizes extremely strong cryptographic techniques to protect the information stored on the card, particularly the balances, from illicit third party access and tampering.

[0010] However, as noted above, cryptography incurs processing overhead. While in sophisticated devices having significant processing capacity, such as PCs and workstations, the overhead reduces overall system throughput, in other devices, with rather limited processing capacity, such as smart cards, remote controls and other “low-end” devices, the overhead may be intolerable to the point of precluding the use of sufficiently strong cryptographic techniques in such devices.

[0011] Hence, given the rapid and apparently ever-increasing desire in the art to incorporate cryptographic techniques into a wide variety of devices, particularly those having limited processing power, a need currently exists in the art to reduce the processing time required to implement cryptographic techniques.

[0012] In particular, processing overhead associated with certain cryptographic techniques, particularly in computing a checksum, might be sharply reduced if a mod(M) operation could be replaced by an equivalent though less processor-intensive operation(s). If this result could be achieved, then the overall throughput of highly sophisticated devices, such as personal computers and workstations that employ various cryptographic techniques, could be advantageously increased. Furthermore, if such overhead could be reduced, then strong cryptographic techniques could be incorporated into a multitude of computer-related devices which heretofore had insufficient processing power to adequately support such techniques.

SUMMARY OF THE INVENTION

[0013] Advantageously, our present invention satisfies this need by implementing a primitive for computing a checksum but advantageously without any need for a mod(M) operation.

[0014] In accordance with our broad inventive teachings, this primitive replaces the mod(M) operation with a series of simple elementary register operations. These operations include mod 2^(n) multiplications, order manipulations (e.g., byte or word swaps), and additions—all of which are extremely simple to implement and require very few processing cycles to execute. Use of our inventive technique can significantly reduce the processing time over that conventionally required to compute various cryptographic parameters, such as, e.g., a message authentication code (MAC), or to implement a stream cipher.

[0015] Specifically, an elemental, illustrative and non-invertible version of our technique relies on computing the primitive through the following sequence of equations:

x^(S) ← wordswap(x)

y ← Ax + Bx^(S) mod(2^(n))

y^(S) ← wordswap(y)

z ← Cy^(S) + Dy mod(2^(n))

θ ← z + Ey^(S) mod(2^(n))

[0016] where:

[0017] coefficients A, B, C, D and E are each an odd random integer less than or equal to 2^(n); and

[0018] θ is an n-bit string.

[0019] For use in generating a MAC or other cryptographic parameter, the coefficients are “secret”; however, when used to generate a checksum, these coefficients are publicly known.

[0020] Advantageously, our inventive technique has, as its feature, both invertible and non-invertible variants.

BRIEF DESCRIPTION OF THE DRAWINGS

[0021] The teachings of the present invention can be readily understood by considering the following detailed description in conjunction with the accompanying drawings, in which:

[0022] FIG. 1 depicts a block diagram of overall end-to-end cryptographic process 5 that utilizes the present inventive teachings to illustratively generate a message authentication code (MAC);

[0023] FIG. 2 depicts a high-level block diagram of a typical Internet-based client-server processing environment that illustratively utilizes the present invention;

[0024] FIG. 3 depicts a block diagram of client computer 100 shown in FIG. 2;

[0025] FIG. 4 depicts a high-level flowchart of MAC generation process 400, that is used in process 5 shown in FIG. 1, to produce a MAC in accordance with our present inventive teachings;

[0026] FIG. 5 depicts a high-level flowchart of Alternative Compute Sum procedure 500 that may be used in lieu of Compute Sum procedure 430 that forms a portion of MAC generation process 400 shown in FIG. 4;

[0027] FIG. 6A depicts a typical word-swap operation as can be employed by our present invention; and

[0028] FIG. 6B depicts a typical byte-swap operation as can be employed by our present invention.

[0029] To facilitate understanding, identical reference numerals have been used, where possible, to designate identical elements that are common to the figures.

DETAILED DESCRIPTION

[0030] After considering the following description, those skilled in the art will clearly realize that the teachings of our present invention can be utilized in any one of a wide range of cryptographic techniques which involve computing a checksum. Such techniques are those which, e.g., compute message authentication codes (MACs), or implement stream ciphers.

[0031] To facilitate reader understanding, we will discuss our invention in the context of its use in such a technique, though quite generalized, that could be employed in a client-server transaction processing environment where transaction messages are to be communicated over an insecure communication network, such as the Internet, and specifically in the context of computing a MAC employed in that technique.

[0032] A. Overview

[0033] FIG. 1 depicts a block diagram of overall end-to-end cryptographic process 5 which generates a MAC through use of our present invention.

[0034] As shown, incoming plaintext information is organized into so-called “messages”. Each such message 7, designated as P, is organized as N blocks (P₁, P₂, . . . , P_(N)), with each block being n bits in width, where here n is illustratively 32 bits. Each such plaintext block is applied, as symbolized by line 10, to encryption process 20. This process illustratively includes message encryption process 23 and inventive MAC generation process 400. Process 400 (which will be described in detail below in conjunction with FIGS. 4 and 5), given the plaintext message, P, or a suitable cryptographic manipulation of it, as input, generates, in accordance with our invention, a MAC, typically 64 bits in length, that is unique to this message. Message encryption process 23 encrypts the plaintext message into ciphertext and suitably inserts the 64-bit MAC into the message, illustratively as the two highest-order blocks (C_(N−1), C_(N)) (a comma separating successive values in parentheses is used hereinafter as an operator to denote concatenation of those values), to yield ciphertext message, C. The two highest-order blocks collectively form MAC 42. Depending on a specific encryption process employed within process 23, MAC 42 may itself be encrypted, such as through a well-known DES (Data Encryption Standard) encryption or another conventional pseudo-random permutation, or not. The ciphertext message is formed of N successive n-bit blocks of ciphertext.

[0035] Resulting ciphertext message C is then stored or transferred, through a given modality, e.g., an insecure communication channel, represented by dashed line 45 and typified by an Internet connection, to a recipient location. Here, a received version of the ciphertext message, denoted as C̃ (also labeled as message 40′), is decrypted by decryption process 50 to yield recovered plaintext message 70, also denoted as plaintext message P̂, which, to be valid and thus suitable for downstream use, must be identical in all aspects to original plaintext message P. Decryption process 50 contains message decryption process 60, MAC generation process 400 and identity comparator 90.

[0036] To determine whether the recovered plaintext message is valid, e.g., has not been altered, message decryption process 60 not only produces the recovered plaintext but also extracts (and decrypts, if necessary) the MAC from ciphertext message C̃. A resulting recovered MAC is applied, as symbolized by line 67, to one input of comparator 90. The recovered plaintext is also applied, as symbolized by line 77, to MAC generation process 400. Process 400 re-computes the MAC from the recovered plaintext message P̂ and applies, as symbolized by line 80, a resulting recomputed MAC, to another input of comparator 90. If both of these MACs then applied to corresponding inputs of comparator 90 identically match, then comparator 90 generates a suitable indication on output 93 to indicate that the recovered plaintext message P̂, then appearing on output lead 73, is valid for subsequent use. Otherwise, if the recovered and recomputed MACs do not match, comparator 90 generates a suitable indication on output 97 to indicate that the recovered plaintext message P̂, then appearing on output 73, is invalid and should be ignored. Inasmuch as the specific nature, apart from the generation of a MAC, of the encryption and decryption techniques used in encryption process 23 and message decryption process 60, respectively, are irrelevant to the present invention and any one of a wide variety of such techniques can be successfully used, we shall not discuss these aspects in any further detail. Nevertheless, we describe and claim one such illustrative cryptographic technique in our co-pending United States patent applications (to which the reader is referred) entitled: “Cryptographic Technique That Provides Fast Encryption and Decryption and Assures Integrity of a Ciphertext Message” filed Apr. 20, 1998, Ser. No. 09/062,836; and “Method and Apparatus for Producing A Message Authentication Code” filed Apr. 20, 1998, Ser. No. 09/062,837—both of which are incorporated by reference herein and have been assigned to the common assignee hereof.

[0037] B. Illustrative Processing Environment

[0038] With the above in mind, consider FIG. 2 which depicts a high-level block diagram of client-server processing environment 200 that utilizes the present invention.

[0039] As shown, this environment contains computer 205 which implements server 210, the latter illustratively being a web server. A number of individual remotely-located client computers, each being illustratively a personal computer (PC), of which only one such client, i.e., client computer 100, is specifically shown, is connected using appropriate communications channels, such as channels 140 and 160, through an insecure communications network, here shown as illustratively Internet 150, to computer 205. A user (not specifically shown), stationed at client computer 100 and desirous of obtaining information from the server can invoke corresponding client program 130 at client computer 100. The client program forms one of a number of application programs 120 that collectively reside within and are executed by client computer 100. Though the client program is specifically shown as residing within the application programs, the former can also be implemented as a component, such as a web browser, of an operating system (O/S), for example, of O/S 337 shown in FIG. 3. Server 210, shown in FIG. 2, can implement any of a wide variety of application functions including, for example, a commerce server, a banking server, an electronic mail or a file server. As to electronic commerce, the user might desire to conduct a commercial transaction, through client computer 100 and server 210, that involves providing (as symbolized by line 110) information to the server, such as an account number of the user at a financial institution and payment instructions to transfer funds to a payee, or obtaining information (as symbolized by line 135) from the server, such as available account or credit balances of the user, which, in either event, is confidential to that user. Alternatively, server 210 may be a file server that provides the user with access to various files stored in a repository, any of which the user can download. Once such a file is downloaded, it can be stored within memory 330 (see FIG. 3) situated within client computer 100 for local use thereat. However, any such file may contain proprietary and/or confidential information for which its owner desires to control user access. For example, such a file can be a self-installing executable file of an update for a given program, for which its owner, e.g., a software manufacturer, desires to prevent illicit public access, i.e., preventing the update from being used by any individual who has not remitted appropriate payment for it. Server 210 itself, as shown in FIG. 2, may also provide confidential or proprietary information (as symbolized by line 215) which originates from the user (and was transmitted via network (here Internet) 150 to the server) to downstream equipment (not specifically shown) for subsequent processing, or receive (as symbolized by line 218) confidential or proprietary information from downstream equipment for eventual transmission, via the network, to the user.

[0040] Network 150, being illustratively the Internet, is susceptible to being compromised by a third party. In that regard, the third party could intercept a conventionally enciphered message then being carried over the network and emanating from, e.g., client computer 100, for, e.g., an on-going financial transaction involving a user situated thereat. While the third party may not have sufficient resources either in terms of available processing capacity or time to break a conventional cipher used for encrypting messages and recover the plaintext inherent in the transmitted message, that party may nevertheless possess sufficient knowledge of the ciphertext message, specifically its structural organization, and equipment needed to successfully change that message to the detriment of the user. In that regard, the third party might illicitly tamper with the ciphertext message by substituting one or more predefined ciphertext blocks for corresponding original ciphertext blocks and then transmit a resulting modified ciphertext message back onto the network for carriage to computer 205 for processing thereat.

[0041] To safeguard the confidential or proprietary nature of the information transiting over network 150 between client computer 100 and computer 205, from third-party access, both client program 130 and server 210 each utilizes cryptographic communication through incorporation of encryption process 20 and decryption process 50 therein. As such, messages destined for network carriage and generated by one network application peer, either client program 130 or server 210, are each encrypted by encryption process 20 therein to yield corresponding ciphertext messages with embedded MACs, which, in turn, are then each transmitted over network 150 to the other network application peer. Similarly, ciphertext messages received, from the network, by each of the peers are decrypted by decryption process 50 therein to yield an appropriate recovered plaintext message and an indication as to its validity. Encryption and decryption procedures 20 and 50 are inverse procedures of each other.

[0042] C. Client Computer 100

[0043] FIG. 3 depicts a block diagram of client computer (PC) 100.

[0044] As shown, client computer 100 comprises input interfaces (I/F) 320, processor 340, communications interface 350, memory 330 and output interfaces 360, all conventionally interconnected by bus 370. Memory 330 generally includes different modalities, including illustratively random access memory (RAM) 332 for temporary data and instruction store, diskette drive(s) 334 for exchanging information, as per user command, with floppy diskettes, and non-volatile mass store 335 that is implemented through a hard disk, typically magnetic in nature. Mass store 335 may also contain a CD-ROM or other optical media reader (not specifically shown) (or writer) to read information from (and write information onto) suitable optical storage media. The mass store stores operating system (O/S) 337 and application programs 120; the latter illustratively containing client program 130 (see FIG. 2) which incorporates our inventive technique. O/S 337, shown in FIG. 3, may be implemented by any conventional operating system, such as the WINDOWS NT operating system (“WINDOWS NT” is a registered trademark of Microsoft Corporation of Redmond, Wash.). Given that, we will not discuss any components of O/S 337 as they are all irrelevant. Suffice it to say that the client program, being one of application programs 120, executes under control of the O/S.

[0045] Advantageously, our present inventive technique, when embedded for use within cryptographic encryption and decryption modules, saves processing time, thereby increasing the throughput of both client computer 100 and server 210 (see FIG. 2).

[0046] As shown in FIG. 3, incoming information can arise from two illustrative external sources: network supplied information, e.g., from the Internet and/or other networked facility, through network connection 140 to communications interface 350, or from a dedicated input source, via path(s) 310, to input interfaces 320. Dedicated input can originate from a wide variety of sources, e.g., an external database. In addition, input information, in the form of files or specific content therein, can also be provided by inserting a diskette containing the information into diskette drive 334 from which computer 100, under user instruction, will access and read that information from the diskette. Input interfaces 320 contain appropriate circuitry to provide necessary and corresponding electrical connections required to physically connect and interface each differing dedicated source of input information to computer system 100. Under control of the operating system, application programs 120 exchange commands and data with the external sources, via network connection 140 or path(s) 310, to transmit and receive information typically requested by a user during program execution.

[0047] Input interfaces 320 also electrically connect and interface user input device 395, such as a keyboard and mouse, to computer system 100. Display 380, such as a conventional color monitor, and printer 385, such as a conventional laser printer, are connected, via leads 363 and 367, respectively, to output interfaces 360. The output interfaces provide requisite circuitry to electrically connect and interface the display and printer to the computer system. As one can appreciate, our present inventive cryptographic technique can operate with any type of digital information regardless of the modalities through which client computer 100 will obtain, store and/or communicate that information.

[0048] Furthermore, since the specific hardware components of computer system 100 as well as all aspects of the software stored within memory 335, apart from the modules that implement the present invention, are conventional and well-known, they will not be discussed in any further detail. Generally speaking, computer 205 has an architecture that is quite similar to that of client computer 100.

[0049] D. Limitation Posed by Modulo Arithmetic in Conventional Cryptographic Techniques

[0050] Conventional cryptographic techniques frequently employ, as a primitive, a checksum that requires computing mod(M), where M is a large prime number, such as, e.g., 2³¹−1 or larger.

[0051] Unfortunately, a mod(M) operation requires on the order of at least 10-15 machine cycles, if not more (based on the value of modulus M), to compute. This function is repeatedly calculated during both conventional encryption and decryption operations. As such, if such a technique were being implemented on a device with significant processing capacity, such as a PC or workstation, the mod(M) computations would reduce overall throughput, perhaps noticeably. However, this computational overhead may be intolerable in devices that have rather limited processing capacity and hence precludes use of this cryptographic technique in those devices—where its use could be quite beneficial.

[0052] E. Our Inventive Technique and Its Implementation

[0053] Recognizing this deficiency in the art, we have developed a technique for implementing a checksum that advantageously does not require a mod(M) operation.

[0054] Our technique implements the checksum as a relatively simple series of elementary register operations. These operations include mod 2^(n) multiplications, order manipulations (being an operation which changes bit ordering in a block, such as, e.g., byte or word swaps) and additions—all of which are extremely simple to implement and require very few processing cycles to execute. The operations used in the primitive can also be pipelined rather effectively. Hence, use of the primitive based on our invention, particularly if pipelined, can significantly reduce the processing time over that conventionally required to compute various cryptographic parameters, such as, e.g., a message authentication code (MAC), or to implement a stream cipher. We believe that our inventive technique can also be advantageously incorporated into certain ciphers to enhance the security of those ciphers against certain plaintext-ciphertext attacks.

[0055] We start with the following mathematical definitions: F(x) = θ, and a superscript “S”, i.e., as in x^(S), denotes either an appropriate byte- or word-swap operation.

[0056] To digress slightly, FIGS. 6A and 6B depict word-swap and byte-swap operations, respectively. Given n-bit block 610 (illustratively 32 bits in length) with two 16-bit words (e.g., words 613 and 617 also labeled L and R for “left” and “right”, respectively), a word-swap operation, symbolized by line 620, produces n-bit block 630 with these words switched in position (i.e., with words 633 and 637 that are identical to words 617 and 613, respectively). Such an operation can be implemented in one processing cycle by simply exchanging the individual words as shown by arrow 625. Given n-bit block 650 (also illustratively 32 bits in length) with individual eight-bit bytes 652, 654, 656 and 658 (also labeled as bytes A, B, C, D, respectively), a byte-swap operation symbolized by line 660, produces n-bit block 670 having these four bytes reversed in sequence (i.e., with bytes 672, 674, 676 and 678 being identical to bytes 658, 656, 654 and 652, respectively). The byte-swap operation can be implemented in one processing cycle by exchanging individual bytes in parallel, as shown by arrows 665.

[0057] With these definitions in mind, a non-invertible version of the primitive F(x) that implements a checksum, specifically f(x) = ax + b mod(M), is obtained by computing, in accordance with our inventive teachings, equations (1)-(5) as follows in sequence:

x^(S) ← wordswap(x)  (1)

y ← Ax + Bx^(S) mod(2^(n))  (2)

y^(S) ← wordswap(y)  (3)

z ← Cy^(S) + Dy mod(2^(n))  (4)

θ ← z + Ey^(S) mod(2^(n))  (5)

[0058] where:

[0059] coefficients A, B, C, D and E are each an odd random integer less than or equal to 2^(n); and

[0060] θ is an n-bit string.

[0061] As can be seen, these equations are implemented using elementary register operations, i.e., order manipulations (e.g., word- or byte-swaps), additions and mod(2^(n)) multiplications. Consequently, these operations can be performed using relatively few processing cycles—certainly considerably less than the 10-15 cycles required to perform a mod(M) operation. Though we have shown equations (1) and (3) using word-swap operations, byte-swap operations (or possibly other manipulations that change the bit ordering) could be used instead. For use in generating a MAC or other various cryptographic terms, coefficient values A, B, C, D and E are “secret” values, i.e., not publicly disclosed.

[0062] An invertible version of the primitive F(x) implements f(x), also in accordance with our inventive teachings, through equations (6)-(15) as follows:

y ← Ax mod(2^(n))  (6)

y^(S) ← wordswap(y)  (7)

z ← By^(S) mod(2^(n))  (8)

z^(S) ← wordswap(z)  (9)

ν ← Cz^(S) mod(2^(n))  (10)

ν^(S) ← wordswap(ν)  (11)

w ← Dν^(S) mod(2^(n))  (12)

w^(S) ← wordswap(w)  (13)

t ← Ew^(S) mod(2^(n))  (14)

θ ← t + Ly^(S) mod(2^(n))  (15)

[0063] where:

[0064] coefficients A, B, C, D and E are each an odd random integer less than or equal to 2^(n); and

[0065] L is a random integer less than or equal to 2^(n).

[0066] Here, too, when generating a MAC or various other cryptographic terms, the coefficient values A, B, C, D, E and L are all “secret” values. Alternatively, equations (6)-(12) could be used to implement the primitive, with F(x) = w. Moreover, a “reverse” operation (where all the bits in a block are completely reversed in sequence)—which is another type of order manipulation—could be used in lieu of a byte- or word-swap. For example, the primitive F(x) for an invertible form of f(x) could be implemented, in accordance with our invention, through equations (16)-(19) as follows:

y ← Hx mod(2^(n))  (16)

z ← reverse(y)  (17)

s ← Jz mod(2^(n))  (18)

θ ← s + K mod(2^(n))  (19)

[0067] where:

[0068] coefficients H, J, and K are each a random integer less than or equal to 2^(n).

[0069] If this primitive were to be used to generate a MAC or other cryptographic term, then coefficients H, J and K would be “secret” values. Since a reverse operation is relatively slow compared to a byte- or word-swap operation, the use of the primitives given by equations (6)-(12) or (6)-(15) above is preferred over that given by equations (16)-(19).
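The following C program is an added illustration of the primitives above, not code from the patent. It fixes n = 32 so that unsigned 32-bit wraparound performs every mod(2^(n)) reduction for free, implements the word- and byte-swaps of FIGS. 6A and 6B, the non-invertible primitive of equations (1)-(5), and the invertible chain of equations (6)-(12) with F(x) = w together with its inverse; the coefficient values are constructed for the demonstration (small odd values for a hand-checkable walk-through) and the inverse relies on the fact that an odd coefficient has a multiplicative inverse modulo 2^(n), which is computed by Newton (Hensel) lifting.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* n = 32: every product and sum below wraps in uint32_t, so it is already
 * reduced mod 2^32 without any division, which is the point of the primitive. */

/* Word swap of FIG. 6A: exchange the two 16-bit halves (L,R) -> (R,L). */
static uint32_t wordswap(uint32_t x) { return (x << 16) | (x >> 16); }

/* Byte swap of FIG. 6B: reverse the order of the four bytes (A,B,C,D) -> (D,C,B,A). */
static uint32_t byteswap(uint32_t x) {
    return (x << 24) | ((x & 0x0000ff00u) << 8) |
           ((x >> 8) & 0x0000ff00u) | (x >> 24);
}

/* Coefficients for the non-invertible primitive, equations (1)-(5); all odd. */
typedef struct { uint32_t A, B, C, D, E; } coeffs5;

static uint32_t F_noninv(const coeffs5 *k, uint32_t x) {
    uint32_t xs = wordswap(x);            /* (1) x^S   <- wordswap(x)          */
    uint32_t y  = k->A * x + k->B * xs;   /* (2) y     <- Ax + Bx^S  mod 2^32  */
    uint32_t ys = wordswap(y);            /* (3) y^S   <- wordswap(y)          */
    uint32_t z  = k->C * ys + k->D * y;   /* (4) z     <- Cy^S + Dy  mod 2^32  */
    return z + k->E * ys;                 /* (5) theta <- z + Ey^S   mod 2^32  */
}

/* Coefficients for the invertible chain, equations (6)-(12) with F(x) = w; all odd. */
typedef struct { uint32_t A, B, C, D; } coeffs4;

static uint32_t F_w(const coeffs4 *k, uint32_t x) {
    uint32_t y  = k->A * x;               /* (6)  y   <- Ax    mod 2^32 */
    uint32_t ys = wordswap(y);            /* (7)  y^S <- wordswap(y)    */
    uint32_t z  = k->B * ys;              /* (8)  z   <- By^S  mod 2^32 */
    uint32_t zs = wordswap(z);            /* (9)  z^S <- wordswap(z)    */
    uint32_t v  = k->C * zs;              /* (10) v   <- Cz^S  mod 2^32 */
    uint32_t vs = wordswap(v);            /* (11) v^S <- wordswap(v)    */
    return k->D * vs;                     /* (12) w   <- Dv^S  mod 2^32 */
}

/* Multiplicative inverse of an odd a modulo 2^32 by Newton/Hensel lifting:
 * a*a == 1 (mod 8) makes inv = a correct in its 3 low bits, and each step
 * inv <- inv*(2 - a*inv) doubles the number of correct bits (3,6,12,24,48). */
static uint32_t inv_mod_2_32(uint32_t a) {
    uint32_t inv = a;
    for (int i = 0; i < 5; i++) inv *= 2u - a * inv;
    return inv;
}

/* Undo (12) back to (6): wordswap is its own inverse and each odd coefficient
 * is cancelled by its inverse mod 2^32, which is exactly why A..D must be odd. */
static uint32_t F_w_inverse(const coeffs4 *k, uint32_t w) {
    uint32_t vs = inv_mod_2_32(k->D) * w;   /* undo (12) */
    uint32_t v  = wordswap(vs);             /* undo (11) */
    uint32_t zs = inv_mod_2_32(k->C) * v;   /* undo (10) */
    uint32_t z  = wordswap(zs);             /* undo (9)  */
    uint32_t ys = inv_mod_2_32(k->B) * z;   /* undo (8)  */
    uint32_t y  = wordswap(ys);             /* undo (7)  */
    return inv_mod_2_32(k->A) * y;          /* undo (6)  */
}

/* Constructed demo coefficients (hypothetical, not from the patent): small odd
 * values so F_noninv(1) can be checked by hand, and larger odd values for F_w. */
static const coeffs5 K5_DEMO = { 3u, 5u, 7u, 9u, 11u };
static const coeffs4 K4_DEMO = { 0x9e3779b1u, 0x85ebca77u, 0xc2b2ae3du, 0x27d4eb2fu };

int main(void) {
    uint32_t x = 0x12345678u;
    printf("wordswap(%08" PRIx32 ") = %08" PRIx32 ", byteswap = %08" PRIx32 "\n",
           x, wordswap(x), byteswap(x));
    /* By hand: x^S = 0x10000, y = 3 + 5*65536 = 327683, y^S = 196613,
     * z = 7*196613 + 9*327683 = 4325438, theta = z + 11*196613 = 6488181. */
    printf("F_noninv(1) = %" PRIu32 "\n", F_noninv(&K5_DEMO, 1u));
    uint32_t w = F_w(&K4_DEMO, x);
    printf("F_w(%08" PRIx32 ") = %08" PRIx32 ", inverse -> %08" PRIx32 "\n",
           x, w, F_w_inverse(&K4_DEMO, w));
    return 0;
}
```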

[0070] Clearly, based on the above description, those skilled in the art can readily devise various other primitives, F(x), that provide equivalent cryptographic characteristics for f(x) = ax + b mod(M) and which utilize, in accordance with our invention, mod 2^(n) multiplications, order manipulations and additions—but not a mod(M) operation—and hence can substitute for the specific primitives described above.

[0071] As discussed above, a generalized primitive based on our inventive technique can be used to generate a MAC. To do so, a series of primitives F₁(x), F₂(x), . . . , F_(p)(x), for function f(x), that are non-invertible and of the same form noted above (as F(x)), are selected but with different values for the corresponding “secret” coefficients, i.e., if F₁(x) has “secret” coefficients A, B, C, D and E, then F₂(x) has “secret” coefficients a, b, c, d and e and so forth. Thereafter, given an input sequence X = x₁, x₂, . . . , x_(N) of n-bit strings, corresponding output values (intermediate results) Y = y₁, y₂, . . . , y_(N), are computed according to equations (20)-(25) as follows using successive ones of these p primitives (where p<n) for corresponding successive input values x_(i):

y₁ = F₁(x₁)  (20)

y₂ = F₂(x₂ + y₁)  (21)

y₃ = F₃(x₃ + y₂)  (22)

y_(p) = F_(p)(x_(p) + y_(p−1))  (23)

⋮

y_(p+1) = F₁(y_(p) + x_(p+1))  (24)

y_(p+2) = F₂(y_(p+1) + x_(p+2))  (25)

⋮

[0072] The MAC can then be formed, in accordance with equation (26), as a function of the intermediate results, as follows: $\mathrm{MAC} = \left( y_{N},\ \sum_{i=1}^{N} y_{i} \right) \qquad (26)$

[0073] For added security, equation (25) can be modified by introducing a secret or random permutation (γ_(i)) for each y_(i) term in the sum, as shown by equation (27) as follows: $\mathrm{MAC} = \left( y_{N},\ \sum_{i=1}^{N} \gamma_{i}\, y_{i} \right) \qquad (27)$

[0074] where:

[0075] γ_(i) is selected randomly or as a “secret” predefined value within a range of ±k inclusive, i.e., γ_(i) ∈ {k, k−1, k−2, . . . , 0, −1, −2, . . . , −k}, where k is a predefined integer. For simplicity, each γ_(i) may be set to the value +1 or −1 with either a random, pseudo-random or “secret” predefined variation among all such γ_(i).

[0076] Though equations (20)-(25) utilize a repeating series of the same p primitives, different such series can be used instead. Each series of functions will produce a separate output hash value y which can then be concatenated together to form a MAC, or an individual output, y, of each of the primitives can be summed through use of equation (26) to yield the MAC value. Furthermore, one series could be run, with forward chaining, as indicated by, e.g., equations (20)-(23). A next run of the same series, such as that indicated by, e.g., equations (24) and (25), or a next run of a different series could be run with “backward” chaining. Where backward chaining is used, associated input values could be applied in a reversed order, with respect to those used with forward chaining, to the individual primitives in that series.

[0077] Where our inventive technique is used to compute a checksum, the computations are highly similar, if not identical, to those used to compute a MAC but with all the coefficient values, as well as all the γ_(i) values, if used, being publicly known.

[0078] With the above in mind, we will now turn to describing the software needed to generate a MAC for use by encryption process 20 and in accordance with a primitive that implements our inventive technique.

[0079] FIG. 4 depicts a high-level flowchart of MAC generation process 400 that is used in process 5 shown in FIG. 1 for producing a MAC. This routine implements equations (20)-(25) as discussed above, and assumes that primitives F(x) and G(x) have been completely selected.

[0080] In particular, upon entry into routine 410, during execution of either encryption process 20 or decryption process 50, execution first proceeds, as shown in FIG. 4, to block 410. This block initializes a pointer (i) to one and a sum variable (y_(s)) to zero. Thereafter, execution enters a loop formed of blocks 420, 430, 440, and 450 to calculate successive output values, y_(i), for each input plaintext block (P_(i)) as input, and to accumulate these output values into the sum variable, y_(s).

[0081] Specifically, upon entry into this loop, execution first proceeds to block 420 to calculate output value y_(i) as equaling F(P₁). Once this occurs, execution proceeds to Compute Sum procedure 430 which, through block 435, simply adds the value of output y_(i) to the sum variable, y_(s). Once this occurs, execution proceeds to decision block 440 to determine if all N blocks of input plaintext message P have been processed, i.e., whether a current value of pointer i then equals N. In the event any such blocks remain, i.e., the current value of i is less than N, then decision block 440 routes execution, via NO path 443, to block 450. This latter block increments the value of pointer i by one and then directs execution, via feedback path 455, back to block 420 to compute the next successive output value, and so forth. At this point, the computations performed by block 420 will depend on whether, for any given iteration through block 420, the value of i is then even or odd; hence alternating between primitives F(x) and G(x) for successive i.

[0082] Once all the output values have been calculated and summed, decision block 440 routes execution, via YES path 447, to block 460. This latter block simply forms the MAC by concatenating the value of y_(N) with a current value of the sum variable and supplying, as output, a resulting 64-bit value as the MAC. Once this occurs, execution exits from routine 400.

[0083] FIG. 5 depicts a high-level flowchart of Alternative Compute Sum procedure 500 that may be used in lieu of Compute Sum procedure 430 that forms a portion of MAC generation process 400. Procedure 500 implements equation (26) above.

[0084] In particular, upon entry into procedure 500, execution first proceeds to block 510 which sets a value of γ_(i) appropriately. As noted above, this value may be random, pseudo-random or pre-defined within a range of ±k (though values of ±1 are typically used). Once this value has been set, execution proceeds to block 520 which multiplies the current output value y_(i) by the corresponding value of γ_(i) and adds a resulting value into the sum variable, y_(s). Once this occurs, execution then exits from procedure 500.
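Putting the chaining of equations (20)-(27) and the FIG. 4 / FIG. 5 loop together, the following Python is an added example (not the patent's own code). It builds p primitives of the form given in claim 7 (word-swap, mod 2^n multiplies and adds), chains them over the blocks of a message reusing the primitives cyclically as block 420 does, and forms the 64-bit value y_N || sum as block 460 does, with the γ_i weighting of procedure 500 as an option; with public coefficients the same routine yields the checksum of paragraph [0077]. Assumptions beyond the text: n=32, the coefficient values, zero-padding the last message block, reducing the running sum mod 2^n so that it fits one 32-bit block, and all helper names.

```python
# Added example: MAC / checksum chaining from equations (20)-(27), n = 32 (assumed).
from typing import Callable, List, Optional

N_BITS = 32
MASK = (1 << N_BITS) - 1
Primitive = Callable[[int], int]


def wordswap(x: int) -> int:
    """Exchange the two 16-bit halves of a 32-bit word (an order manipulation)."""
    return ((x & 0xFFFF) << 16) | ((x >> 16) & 0xFFFF)


def make_primitive(A: int, B: int, C: int, D: int, E: int) -> Primitive:
    """Build F(x) of the claim-7 form: x^S <- wordswap(x); y <- Ax + Bx^S;
    y^S <- wordswap(y); z <- C y^S + y D; theta <- z + y^S E, all mod 2^n."""
    if any(c % 2 == 0 for c in (A, B, C, D, E)):
        raise ValueError("claim 7 requires odd coefficients")

    def F(x: int) -> int:
        xs = wordswap(x)
        y = (A * x + B * xs) & MASK
        ys = wordswap(y)
        z = (C * ys + y * D) & MASK
        return (z + ys * E) & MASK

    return F


def chain(blocks: List[int], primitives: List[Primitive]) -> List[int]:
    """Equations (20)-(25): y_1 = F_1(x_1), then y_i = F_j(x_i + y_(i-1)) with the
    p primitives reused cyclically (block 420 alternates F and G when p = 2)."""
    ys: List[int] = []
    prev = 0                      # y_0 = 0 makes (20) a special case of (21)
    for i, x in enumerate(blocks):
        y = primitives[i % len(primitives)]((x + prev) & MASK)
        ys.append(y)
        prev = y
    return ys


def mac(blocks: List[int], primitives: List[Primitive],
        gammas: Optional[List[int]] = None) -> int:
    """Equation (26) (gammas None) or (27): MAC = (y_N, sum gamma_i * y_i),
    returned as the 64-bit concatenation y_N || sum, as in block 460 of FIG. 4.
    The sum is reduced mod 2^n here (assumption) so it occupies one 32-bit block."""
    ys = chain(blocks, primitives)
    if gammas is None:
        gammas = [1] * len(ys)
    total = sum(g * y for g, y in zip(gammas, ys)) & MASK
    return (ys[-1] << N_BITS) | total


def split_blocks(data: bytes) -> List[int]:
    """Cut a message into 32-bit big-endian blocks, zero-padding the tail (assumption)."""
    data += b"\x00" * (-len(data) % 4)
    return [int.from_bytes(data[i:i + 4], "big") for i in range(0, len(data), 4)]


# Constructed coefficients: 'secret' when producing a MAC, public for a checksum.
F1 = make_primitive(0x9E3779B1, 0x85EBCA77, 0xC2B2AE3D, 0x27D4EB2F, 0x165667B1)
F2 = make_primitive(0x2545F491, 0x9E3779B9, 0x7F4A7C15, 0xBF58476D, 0x94D049BB)

if __name__ == "__main__":
    msg = split_blocks(b"constructed sample plaintext")   # constructed input
    print(f"MAC per (26): {mac(msg, [F1, F2]):016x}")
    signs = [1, -1] * (len(msg) // 2 + 1)                  # gamma_i = +/-1 per [0075]
    print(f"MAC per (27): {mac(msg, [F1, F2], signs):016x}")
```

Every operation in the loop is a wrapping 32-bit multiply, a 16-bit half swap or a wrapping add, which is the point of the technique: no division or mod(M) reduction appears anywhere on the per-block path.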

[0085] Clearly, those skilled in the art will realize that though the MAC (or checksum) has been described as being 64 bits in length, i.e., two 32-bit blocks, MACs (and checksums) of other bit (and block) sizes, such as a single 32-bit block or more than 64 bits long (but sized in integer blocks) may be used instead. Larger MACs provide greater levels of security, to the extent it is warranted, though at a likely cost of increased processing time to produce the MAC, and, where required, to encrypt and decrypt it.

[0086] Although a detailed embodiment, with a number of variations, which incorporates the teachings of the present invention has been shown and described in detail herein, those skilled in the art can readily devise many other embodiments and applications of the present invention that still utilize these teachings.

We claim:
 1. A process, for use in a device, for producing a parameter from a plurality (N) of successive blocks (x₁, x₂, . . . , x_(n)) of input digital plaintext, wherein the process implements a primitive, F(x), that provides equivalent cryptographic characteristics to properties of a predefined function f(x)=ax+b mod(M) where a and b are predefined integers and M is a predefined integer prime number, the device having: a processor; and a memory connected to the processor and having a computer program formed of computer executable instructions stored therein; and the process comprises the step, performed by the processor and implemented through the executable instructions, of: generating the parameter by processing the blocks of the plaintext through a predetermined procedure that comprises, as the primitive, a predefined sequence of order manipulations, additions and mod(2^(n)) multiplication operations (where n is a predefined integer) which collectively implement the primitive but without calculating a value for mod(M), whereby the primitive exhibits reduced processing time.
 2. The process in claim 1 wherein each of the order manipulations is a predefined operation that changes a bit order of a block of data on which said each order manipulation is being performed.
 3. The process in claim 2 further comprising the steps performed by the processor and in response to the executable instructions, of: generating a plurality of intermediate results, y_(i), (N≧i≧1), in accordance with the following equations:

y₁ = F₁(x₁)

y₂ = F₂(x₂ + y₁)

y₃ = F₃(x₃ + y₂)

y_(p) = F_(p)(x_(p) + y_(p−1))

•  •  •

y_(p+1) = F₁(y_(p) + x_(p+1))

y_(p+2) = F₂(y_(p+1) + x_(p+2))

•  •  •

where: F₁(x), F₂(x), . . . , F_(p)(x) are primitives of the same form where p<n; and generating the parameter in response to a predefined function of the intermediate results.
 4. The process in claim 3 wherein the parameter generating step further comprises the step of producing the parameter as a concatenation of the values of y_(N) and a sum of the intermediate results.
 5. The process in claim 3 wherein the parameter generating step further comprises the step of producing the parameter as a concatenation of the values of y_(N) and $\sum\limits_{i = 1}^{N}{\gamma_{i}y_{i}}$

where: for each i, γ_(i) has a predefined or random value within a range of ±k inclusive, k being a predefined integer.
 6. The process in claim 3 wherein said each order manipulation is a byte- or word-swap, or reverse operation.
 7. The process in claim 4 further comprising the steps performed by the processor and in response to the executable instructions, of: implementing the primitive F₁(x) in accordance with the following equations:

x^(S)←wordswap(x)

y←Ax+Bx^(S) mod(2^(n))

y^(S)←wordswap(y)

z←Cy^(S)+yD mod(2^(n))

θ←z+y^(S)E mod(2^(n))

where: coefficients A, B, C, D and E are each an odd random integer less than or equal to 2^(n); and θ is an output string; and implementing the primitive F₂(x) in accordance with the following equations:

x^(S)←wordswap(x)

y←ax+bx^(S) mod(2^(n))

y^(S)←wordswap(y)

z←cy^(S)+yd mod(2^(n))

θ←z+y^(S)e mod(2^(n))

where: coefficients a, b, c, d, and e correspond to coefficients A, B, C, D and E but have different respective values therefrom.
 8. The process in claim 7 wherein the coefficients for primitives F₁(x), F₂(x), . . . , F_(p)(x) are secret, and a message authentication code is formed from the parameters.
 9. The process in claim 8 wherein the parameter generating step further comprises the step of producing the parameter as a concatenation of the values of y_(N) and a sum of the intermediate results.
 10. The process in claim 8 wherein the parameter generating step further comprises the step of producing the parameter as a concatenation of the values of y_(N) and $\sum\limits_{i = 1}^{N}{\gamma_{i}y_{i}}$

where: for each i, γ_(i) has a predefined or random value within a range of ±k inclusive, k being a predefined integer.
 11. The process in claim 7 wherein the coefficients for primitives F₁(x), F₂(x), . . . , F_(p)(x) are publicly known, and the parameter is a checksum.
 12. The process in claim 11 wherein the parameter generating step further comprises the step of producing the parameter as a concatenation of the values of y_(N) and a sum of the intermediate results.
 13. The process in claim 11 wherein the parameter generating step further comprises the step of producing the parameter as a concatenation of the values of y_(N) and $\sum\limits_{i = 1}^{N}{\gamma_{i}y_{i}}$

where: for each i, γ_(i) has a predefined or random value within a range of ±k inclusive, k being a predefined integer.
 14. A computer readable medium having computer executable instructions stored therein for performing the steps of claim 1.
 15. Apparatus for producing a parameter from a plurality (N) of successive blocks of input digital plaintext (x₁, x₂, . . . , x_(n)), wherein the process implements a primitive, F(x), that provides equivalent cryptographic characteristics to properties of a predefined function f(x)=ax+b mod(M) where a and b are predefined integers and M is a predefined integer prime number, the apparatus comprising: a processor; and a memory connected to the processor and having a computer program formed of computer executable instructions stored therein; wherein the processor, in response to the executable instructions: generates the parameter by processing the blocks of the plaintext through a predetermined procedure that comprises, as the primitive, a predefined sequence of order manipulations, additions and mod(2^(n)) multiplication operations (where n is a predefined integer) which collectively implement the primitive but without calculating a value for mod(M), whereby the primitive exhibits reduced processing time.
 16. The apparatus in claim 15 wherein each of the order manipulations is a predefined operation that changes a bit order of a block of data on which said each order manipulation is being performed.
 17. The apparatus in claim 16 wherein the processor, in response to the executable instructions: generates a plurality of intermediate results, y_(i), (N≧i≧1), in accordance with the following equations:

y₁ = F₁(x₁)

y₂ = F₂(x₂ + y₁)

y₃ = F₃(x₃ + y₂)

y_(p) = F_(p)(x_(p) + y_(p−1))

•  •  •

y_(p+1) = F₁(y_(p) + x_(p+1))

y_(p+2) = F₂(y_(p+1) + x_(p+2))

•  •  •

where: F₁(x), F₂(x), . . . , F_(p)(x) are primitives of the same form where p<n; and generates the parameter in response to a predefined function of the intermediate results.
 18. The apparatus in claim 17 wherein the parameter generating step further comprises the step of producing the parameter as a concatenation of the values of y_(N) and a sum of the intermediate results.
 19. The apparatus in claim 17 wherein the processor, in response to the executable instructions, produces the parameter as a concatenation of the values of y_(N) and $\sum\limits_{i = 1}^{N}{\gamma_{i}y_{i}}$

where: for each i, γ_(i) has a predefined or random value within a range of ±k inclusive, k being a predefined integer.
 20. The apparatus in claim 17 wherein said each order manipulation is a byte- or word-swap, or reverse operation.
 21. The apparatus in claim 20 wherein the processor, in response to the executable instructions: implements the primitive F₁(x) in accordance with the following equations:

x^(S)←wordswap(x)

y←Ax+Bx^(S) mod(2^(n))

y^(S)←wordswap(y)

z←Cy^(S)+yD mod(2^(n))

θ←z+y^(S)E mod(2^(n))

where: coefficients A, B, C, D and E are each an odd random integer less than or equal to 2^(n); and θ is an output string; and implements the primitive F₂(x) in accordance with the following equations:

x^(S)←wordswap(x)

y←ax+bx^(S) mod(2^(n))

y^(S)←wordswap(y)

z←cy^(S)+yd mod(2^(n))

θ←z+y^(S)e mod(2^(n))

where: coefficients a, b, c, d, and e correspond to coefficients A, B, C, D and E but have different respective values therefrom.
 22. The apparatus in claim 21 wherein the coefficients for primitives F₁(x), F₂(x), . . . , F_(p)(x) are secret, and a message authentication code is formed from the parameters.
 23. The apparatus in claim 22 wherein the parameter generating step further comprises the step of producing the parameter as a concatenation of the values of y_(N) and a sum of the intermediate results.
 24. The apparatus in claim 22 wherein the processor, in response to the executable instructions, produces the parameter as a concatenation of the values of y_(N) and $\sum\limits_{i = 1}^{N}{\gamma_{i}y_{i}}$

where: for each i, γ_(i) has a predefined or random value within a range of ±k inclusive, k being a predefined integer.
 25. The apparatus in claim 21 wherein the coefficients for primitives F₁(x), F₂(x), . . . , F_(p)(x) are publicly known, and the parameter is a checksum.
 26. The apparatus in claim 25 wherein the parameter generating step further comprises the step of producing the parameter as a concatenation of the values of y_(N) and a sum of the intermediate results.
 27. The apparatus in claim 25 wherein the processor, in response to the executable instructions, produces the parameter as a concatenation of the values of y_(N) and $\sum\limits_{i = 1}^{N}{\gamma_{i}y_{i}}$

where: for each i, γ_(i) has a predefined or random value within a range of ±k inclusive, k being a predefined integer.